A security startup has developed a platform that gives security professionals a much larger picture of what has happened on their network, even if they might have missed the initial signs of an intrusion.
It comes from ProtectWise, a 30-person company based in Denver, which is revealing more information on its technology after lying low since its founding in April 2013.
ProtectWise’s broad aims are to consolidate many threat detection functions for which companies use a variety of products, said Scott Chasin, the company’s CEO, who was McAfee’s CTO from 2009 through 2012.
The company has developed what it calls the ProtectWise Cloud Network DVR, which is compromised of a cluster of lightweight sensors that are deployed at points on a network.
Those sensors record network data and ship it securely to Amazon’s cloud, where ProtectWise performs a variety of analyses on it to determine if something strange is going on.
Chasin said that kind of data retention has typically been very expensive, and there is usually only a small retention window.
“We like to use the analogy of a camera because it’s software that can be massively distributed that is always recording,” Chasin said. “It’s that level of visibility that is missing from the industry.”
Customers can choose what they want to record, but the sensors can capture everything, Chasin said. The advantage for administrators is that they can go back and “replay” network activity from the past during forensic investigations, where the first signs of attack might not have been noticed.
Companies are struggling to detect data breaches, and studies show there may be a gap of up six months between when an organization is attacked and when it finds out a breach has occurred.
Security companies see overwhelming amounts of data on attacks and malware activity daily. But in many cases, only later after a detailed forensic analysis is performed does the full scope of an attack become clear.
While ProtectWise’s platform is intended to help spot attacks that are underway, it’s also designed to let administrators use forensic data gained from other attacks to figured out if they have been victimized as well.
The startup has built a very slick front end—which ProtectWise terms a “head-up display”—to view attack data. It’s an active display that is designed not be overwhelming but to give a view of the network activity in real time. The same interface can be used to go back in time to view historical network data.
“One thing that gives ProtectWise a fair claim to uniqueness is the way they analyze and present that data,” said Tony Palmer, a senior engineer and analyst with the Enterprise Strategy Group who visited ProtectWise’s facility to view a demo of the application. “That’s definitely something that really impressed us.”
For those who are worried about shipping their entire network data to the cloud, ProtectWise has developed a way to make its storage more secure.
It calls the method “network shattering,” and it involves splitting up data sent to its cloud platform and scattering it. The data is encrypted, of course, but it’s also spread across ProtectWise’s storage infrastructure. An attacker capturing part of the data couldn’t reconstruct it or identify which organization it belongs to.
ProtectWise’s customers hold all the decryption keys and can revoke those keys to make the data inaccessible, said Gene Stevens, ProtectWise’s CTO.
ProtectWise charges based on how much data a customer wants to record and how long they want it retained. Its standard offering is one year of data retention, but it can be more if a customer chooses, Chasin said.
Universal Music Group has been testing ProtectWise.
“Until now, it was a luxury to be able to retain and continuously analyze full packet capture for more than a two-week period, and it was impossible to automatically play it back for retrospective analysis and detection,” said Arthur Lessard, senior vice president and chief information security officer at Universal Music Group, in an email comment.